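#!/usr/sbin/nft -f
#
# Host firewall (IPv4 + IPv6) for a single machine that does not forward.
# Default stance: INPUT drop, FORWARD drop, OUTPUT reject, with explicit
# per-service accepts and a "clutter" chain for noisy scanner traffic.
#
# Port ranges referred to by the rules below:
#   Well known ports   0:1023
#   Registered ports   1024:49151
#   Goldilocks zone    32768:65535
#   Dynamic/Private    49152:65535
#
# Hosts:
#   WAN       86.83.121.29
#   vps       185.66.250.42
#   tor-exit  185.87.185.45

# Flush first so that reloading this file does not leave duplicate rules behind
# from a previous load.
flush ruleset

# IPv6 specific.
# NOTE(review): these chains have policy accept and only ever accept. The inet
# table below hooks the same points, and an accept in one base chain does not
# stop the other base chains on that hook from evaluating (and dropping) the
# packet, so this table is effectively a no-op; the inet INPUT chain carries
# the equivalent ND accepts.
add table ip6 filter
add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
#add chain ip6 filter clutter

# IPv4 & IPv6 combined. Chain policies are accept; the explicit log+drop /
# log+reject rules at the end of each chain are what actually enforce the
# default-deny, so they must stay last.
add table inet filter
add chain inet filter INPUT { type filter hook input priority 0; policy accept; }
add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain inet filter clutter

# Accept neighbour discovery, otherwise IPv6 connectivity breaks. Conntrack
# leaves ND untracked, so the "ct state related,established" rule further down
# would not let it through; it has to be accepted explicitly and before any
# drop. nd-redirect lets any on-link host re-route our traffic; it is kept from
# the original ruleset but should be removed (or neutralised with
# net.ipv6.conf.*.accept_redirects=0) unless redirects are actually relied on.
add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# Same ND accepts in the ip6 table (see note above: redundant with the inet
# rule, harmless).
add rule ip6 filter INPUT icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter INPUT icmpv6 type nd-router-advert accept

# Local loopback. Anything addressed to 127/8 that did not arrive on lo is
# spoofed: log (rate limited) and drop it, then accept everything on lo.
add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 limit rate 5/minute burst 5 packets counter log prefix "iptables dropped 127.0.0.0/8," level debug
add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 counter drop
add rule inet filter INPUT iifname "lo" counter accept
add rule inet filter OUTPUT oifname "lo" counter accept

# Drop packets conntrack cannot classify (out-of-window segments, stray ACKs,
# malformed headers) before the per-port accepts below get a chance to let
# them in. Untracked ND packets do not match "invalid", so the ND accept above
# is not affected.
add rule inet filter INPUT ct state invalid counter drop

# Active connections: replies and related traffic (ICMP errors, etc.) for
# flows we already allowed.
add rule inet filter INPUT ct state related,established counter accept
add rule inet filter OUTPUT ct state related,established counter accept

# ICMP ping, outbound only (inbound IPv4 ICMP goes to clutter below; replies
# to our own pings come back as "established").
add rule inet filter OUTPUT icmp type echo-request counter accept
add rule inet filter OUTPUT icmpv6 type echo-request counter accept

# Outbound neighbour/router discovery and MLD. These are untracked by
# conntrack, so without an explicit accept they fall through to the final
# reject in OUTPUT and IPv6 stops working (no address resolution, no router
# solicitation, no solicited-node multicast membership).
add rule inet filter OUTPUT icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, mld-listener-report, mld2-listener-report } accept

# SSH. Inbound is accepted from any source; restrict with "ip saddr" or a
# ct-based rate limit if the box is reachable from the internet.
add rule inet filter INPUT tcp sport 1024-65535 tcp dport 22 counter accept
add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 22 counter accept

# WHOIS
add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 43 counter accept

# DNS. The OUTPUT rules are the client side. The INPUT rules accept queries to
# a local port 53 from any source with a high source port; only keep them if
# this host really runs a resolver that must be reachable from outside
# (replies to our own queries are already covered by "established").
# NOTE(review): they also shadow the "udp dport 53 -> clutter" rule further
# down for every query with source port >= 1024.
add rule inet filter OUTPUT udp sport 1024-65535 udp dport 53 counter accept
add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 53 counter accept
add rule inet filter INPUT udp sport 1024-65535 udp dport 53 counter accept
add rule inet filter INPUT tcp sport 32768-65535 tcp dport 53 counter accept

# DHCP client. Broadcast offers/acks are not matched by conntrack as replies
# to our discover, hence the explicit inbound rule; it must precede the
# broadcast -> clutter rule below.
add rule inet filter INPUT ip daddr 255.255.255.255 udp sport 67 udp dport 68 counter accept
add rule inet filter OUTPUT udp sport 68 udp dport 67 counter accept

# HTTP(s): inbound server ports open to all, outbound client access.
add rule inet filter INPUT tcp dport 80 counter accept
add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 80 counter accept
add rule inet filter INPUT tcp dport 443 counter accept
add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 443 counter accept

# NTP
add rule inet filter OUTPUT udp sport 32768-65535 udp dport 123 counter accept

# Privoxy. NOTE(review): this accepts port 8118 from any source; if Privoxy
# listens on more than 127.0.0.1 this exposes an open proxy. Add an
# "ip saddr <lan>" match or bind Privoxy to loopback.
add rule inet filter INPUT tcp sport 32768-65535 tcp dport 8118 counter accept comment "Privoxy"

# OpenPGP HTTP Key servers
add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 11371 counter accept comment "OpenPGP HTTP key servers"

# Traceroute. NOTE(review): the classic traceroute probe range is 33434-33534;
# the range here starts at 6881, which additionally opens outbound UDP to the
# BitTorrent port range and everything in between. Narrow it unless that is
# intended.
add rule inet filter OUTPUT udp sport 32768-65535 udp dport 6881-33534 counter accept comment "Traceroute"

# Attacks, crawls, scans, etc to clutter chain (logged under a separate prefix
# and dropped). Anything matched by an accept above never reaches these.
add rule inet filter INPUT ip protocol icmp counter jump clutter
add rule inet filter INPUT ip daddr 255.255.255.255 counter jump clutter comment "Broadcast messages"
add rule inet filter INPUT udp dport 19 counter jump clutter comment "Character generator, looping to echo = DDoS"
add rule inet filter INPUT tcp dport 23 counter jump clutter
add rule inet filter INPUT udp dport 53 counter jump clutter
add rule inet filter INPUT udp dport 111 counter jump clutter comment "Probe/fingerprint Nix OS"
add rule inet filter INPUT tcp dport 445 counter jump clutter comment "MS-DS active directory"
add rule inet filter INPUT tcp dport 2323 counter jump clutter comment "3d-nfsd"
add rule inet filter INPUT udp dport 5060 counter jump clutter
add rule inet filter INPUT tcp dport 3389 counter jump clutter comment "MS terminal server RDP"

# Log & drop. Logging is rate limited so a flood cannot fill the journal;
# the unconditional drop/reject after each log rule is the real default policy.
add rule inet filter INPUT limit rate 5/minute burst 5 packets counter log prefix "iptables dropped: " level debug
add rule inet filter INPUT counter drop
add rule inet filter FORWARD limit rate 5/minute burst 5 packets counter log prefix "iptables forward dropped: " level debug
add rule inet filter FORWARD counter drop
add rule inet filter OUTPUT limit rate 5/minute burst 5 packets counter log prefix "iptables rejected: " level debug
add rule inet filter OUTPUT counter reject
add rule inet filter clutter limit rate 5/minute burst 5 packets counter log prefix "iptables clutter dropped: " level debug
add rule inet filter clutter counter drop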